pws.ldpinchie just won't die


  • This topic is locked
23 replies to this topic

#1 amelchio
  • Members
  • 13 posts

Posted 18 April 2009 - 11:41 PM

Hello, I'm having trouble getting rid of this little nasty. I have tried running Spybot S&D in normal and safe modes, same with my anti-virus software, yet every time I restart my computer there it is again. I'm not brilliant with computers and am stumped. Any help would be fantastic. Please find a copy of the DDS reports below and attached. With thanks, amelchio


DDS (Ver_09-03-16.01) - NTFSx86
Run by Adrian at 14:28:30.42 on Sun 04/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1161 [GMT 10:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\DOCUME~1\Adrian\LOCALS~1\Temp\1230050494.exe
C:\DOCUME~1\Adrian\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adrian\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Diagnostic Manager] c:\docume~1\adrian\locals~1\temp\1230050494.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [Ulead AutoDetector] c:\program files\ulead systems\ulead photo explorer 8.0 se basic\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [<NO NAME>] c:\windows\temp\pu2zg.exe
dRun: [Windows Resurections] c:\windows\temp\pu2zg.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\adrian\applic~1\mozilla\firefox\profiles\qw6rv3go.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-1 214024]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-10 124832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-1 144704]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-3-1 1373480]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-1 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-1 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-1 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-1 40552]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\adrian\locals~1\temp\cdiskdun.sys --> c:\docume~1\adrian\locals~1\temp\cdiskdun.sys [?]
S3 PAC7311;VGA USB Camera;c:\windows\system32\drivers\PA707UCM.SYS [2007-2-27 155648]

=============== Created Last 30 ================

2009-04-17 18:33 118 a------- c:\windows\system32\MRT.INI
2009-04-17 17:11 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 17:11 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 17:11 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 17:11 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 17:11 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 17:11 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 17:11 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 17:11 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 17:11 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 17:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 17:10 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 06:53 46 a------- c:\windows\system32\p2hhr.bat
2009-04-16 06:50 15,000 a------- c:\windows\system32\jh9fgo4ksdgf.dll
2009-04-12 00:57 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-12 00:57 1,409 a------- c:\windows\QTFont.for
2009-03-22 00:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-18 23:58 231,547 a------- c:\windows\system32\nvModes.dat
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 10:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 17:37 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-01 17:31 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-02-21 04:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 22:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 22:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 22:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 22:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 21:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 21:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 21:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 20:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 20:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 05:59 56,832 a------- c:\windows\system32\secur32.dll
2009-01-27 11:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-27 11:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-27 11:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-27 11:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-27 11:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-27 11:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-27 11:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-27 11:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-27 11:34 684,032 a------- c:\windows\system32\DivX.dll
2007-10-10 22:14 1,098,222,708 ac------ c:\program files\source materials.gcf
2007-10-10 22:14 1,023,142,824 ac------ c:\program files\source sounds.gcf
2007-10-10 22:14 471,408,852 ac------ c:\program files\source models.gcf
2007-10-10 22:14 1,033,441,492 ac------ c:\program files\portal content.gcf
2007-10-10 22:14 306,105,372 ac------ c:\program files\source 2007 binaries.gcf
2007-10-10 22:14 168,173,116 ac------ c:\program files\portal english.gcf
2007-10-10 22:14 1,032,871,080 ac------ c:\program files\source 2007 shared materials.gcf
2007-10-10 22:14 155,492,024 ac------ c:\program files\source 2007 shared models.gcf
2007-10-10 22:14 2,373,924 ac------ c:\program files\source 2007 shared sounds.gcf
2008-08-15 17:48 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2008-08-15 17:48 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-15 17:48 32,768 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:28:58.68 ===============



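A helper reads a DDS log like the one above by hand, applying a few fixed rules to the Pseudo HJT and services sections. The block below is an added example, not code from this thread, from DDS or from BleepingComputer: it applies those rules to constructed lines typed in DDS's format and modelled on the log above. It flags autorun and service entries that launch from a Temp directory, Run values with no name, browser extension DLLs (BHO/STS) whose filenames look generated, and the DisableRegistryTools policy, then groups the flagged files by name to show how many persistence mechanisms point at each one. The heuristics and thresholds (the "generated-looking name" test in particular) are assumptions of the example, not part of DDS.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines typed by hand in the shape DDS prints in its
# "Pseudo HJT Report" and "SERVICES / DRIVERS" sections, modelled on the
# log in the post above (not taken from a live machine).
SAMPLE_LINES = [
    r"uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe",
    r"uRun: [Diagnostic Manager] c:\docume~1\adrian\locals~1\temp\1230050494.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r"dRun: [<NO NAME>] c:\windows\temp\pu2zg.exe",
    r"dRun: [Windows Resurections] c:\windows\temp\pu2zg.exe",
    r"BHO: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll",
    r"TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll",
    r"uPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll",
    r"R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-1 214024]",
    r"S3 cdiskdun;cdiskdun;\??\c:\docume~1\adrian\locals~1\temp\cdiskdun.sys --> c:\docume~1\adrian\locals~1\temp\cdiskdun.sys [?]",
]

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXT_RE = re.compile(r"^(?P<kind>BHO|STS|TB): .* - (?P<path>[a-z]:\\.+)$", re.I)
SVC_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<image>\S+)")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: DisableRegistryTools = 1\b")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|bat|scr)\b", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
MIXED_RE = re.compile(r"[a-z]\d+[a-z]", re.I)   # letter-digit-letter runs, e.g. "h9f"


@dataclass
class Finding:
    line: str
    path: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]


def random_looking(filename: str) -> bool:
    """Heuristic (an assumption of this example): generated filenames tend to
    be long and sprinkle digits between letters, e.g. jh9fgo4ksdgf.dll."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 10 and len(MIXED_RE.findall(stem)) >= 2


def first_path(cmd: str) -> str:
    """First drive-rooted executable path in a Run command line."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else cmd


def triage(lines):
    """Return one Finding per line that trips at least one rule."""
    findings = []
    for raw in lines:
        line, f = raw.strip(), None
        if m := RUN_RE.match(line):
            f = Finding(line, first_path(m["cmd"]))
            if m["name"] == "<NO NAME>":
                f.reasons.append("Run value with no name")
        elif m := EXT_RE.match(line):
            f = Finding(line, m["path"].strip())
            if random_looking(basename(f.path)):
                f.reasons.append(f"{m['kind'].upper()} module with generated-looking filename")
        elif m := SVC_RE.match(line):
            f = Finding(line, m["image"])
        elif POLICY_RE.match(line):
            f = Finding(line, "", ["Registry Editor disabled by policy"])
        if f is None:
            continue
        if TEMP_RE.search(f.path):
            f.reasons.append("persists from a Temp directory")
        if f.reasons:
            findings.append(f)
    return findings


def persistence_map(findings):
    """Group flagged files by name with the mechanism each line came from.
    One file registered under several mechanisms is the usual reason an
    infection is back after a reboot when only one entry was removed."""
    by_file = defaultdict(list)
    for f in findings:
        if f.path:
            by_file[basename(f.path).lower()].append(f.line.split(" ", 1)[0].rstrip(":"))
    return dict(by_file)


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{'; '.join(f.reasons):48} {f.line[:72]}")
    print(persistence_map(found))
```

On the constructed sample the map comes back with pu2zg.exe under two dRun values and the same DLL registered as both a BHO and a ShellServiceObjectDelayLoad (STS) entry, which is exactly the pattern to look for when a cleanup "doesn't stick": every mechanism has to go in the same pass, or the survivor re-creates the rest.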
#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 April 2009 - 07:04 AM

Hi amelchio,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, and there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks
m0le is a proud member of UNITE

#3 amelchio
  • Topic Starter
  • Members
  • 13 posts

Posted 19 April 2009 - 07:13 AM

Thanks for getting back to me so fast.

I'm all set up on my end and ready to go.

I look forward to hearing from you again.

#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 April 2009 - 09:21 AM

Hi amelchio,

Welcome to Bleeping Computer. Let's see what we can do for you. :)

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Azureus and emule). These programmes allow users to share files between them, as the name suggests. In today's world cybercrime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, along the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

----------------------------


Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Just to recap, please post the Gmer log and the two OTViewIt logs in your next reply.

Thanks
m0le is a proud member of UNITE

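Once the GMER log requested above comes back, the first reading task is to separate hooks that a named, known driver accounts for from hooks that jump to a bare address no loaded module claims. The block below is an added example, not part of this thread or of GMER: it parses a constructed log typed in GMER's line format (driver names, addresses and PIDs are illustrative), treats the McAfee HIPS driver mfehidk.sys as an expected hooker because this machine runs that product (an assumption of the example, via the KNOWN_HOOKERS set), and reports the remaining unattributed kernel hooks plus, per process, the user-mode APIs redirected into memory that no module owns. Continuation lines of the form "symbol + 4 ... [bytes]" inherit the verdict of the hook printed just above them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, typed by hand in the line formats GMER writes in its
# "System", "Kernel code sections" and "User code sections" parts. Driver
# names, addresses and PIDs are illustrative, not copied from a live scan.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB64244EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6424470]
Code 89CCE2E8 ZwFlushInstructionCache
Code 8A812AE6 IofCallDriver
Code 8A686436 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A812AEB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A68643B
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B64244EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 3 Bytes JMP B64245AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey + 4 806231D6 3 Bytes [35, 90, 90]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0004000A
"""

# Assumption of this example: drivers whose hooks are expected because the
# machine runs that security product (here the McAfee HIPS driver).
KNOWN_HOOKERS = {"mfehidk.sys"}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^Code (?P<target>\S+)(?: \((?P<desc>[^)]*)\))? (?P<func>\w+)")
INLINE_RE = re.compile(
    r"^(?:\.text|PAGE|INIT) (?P<where>.+?) [0-9A-F]{8} \d+ Bytes "
    r"(?:JMP (?P<dest>[0-9A-F]{8})(?: (?P<module>\S+))?|\[(?P<bytes>[^\]]*)\])"
)
PROC_RE = re.compile(r"^(?P<proc>.+?\[\d+\]) (?P<sym>\S+)$")


@dataclass
class Hook:
    section: str
    symbol: str             # hooked kernel function or user-mode export
    destination: str        # module path, or a bare address if none is known
    process: Optional[str]  # "name.exe[pid]" for user-mode hooks, else None
    verdict: str            # expected / attributed / unattributed


def module_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def verdict_for(module: Optional[str]) -> str:
    if module is None:
        return "unattributed"   # jumps into memory no loaded module accounts for
    return "expected" if module_name(module) in KNOWN_HOOKERS else "attributed"


def parse_gmer(text: str):
    hooks, section, last = [], "", None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := SSDT_RE.match(line):
            target = m["target"]
            last = Hook(section, m["func"], target, None,
                        verdict_for(target if "\\" in target else None))
            hooks.append(last)
        elif m := INLINE_RE.match(line):
            where, process = m["where"], None
            if pm := PROC_RE.match(where):
                process, where = module_name(pm["proc"]), pm["sym"]
            base = where.split(" + ")[0]
            if m["bytes"] is not None:
                # "symbol + N [..]" shows the tail of the hook on the line
                # above it and inherits that hook's verdict.
                verdict = last.verdict if last and last.symbol == base else "unattributed"
                dest = m["bytes"]
            else:
                verdict, dest = verdict_for(m["module"]), m["module"] or m["dest"]
            last = Hook(section, base, dest, process, verdict)
            hooks.append(last)
    return hooks


def unattributed(hooks):
    return [h for h in hooks if h.verdict == "unattributed"]


def injected_by_process(hooks):
    """User-mode hooks whose JMP lands outside any loaded module, per process."""
    out = defaultdict(list)
    for h in hooks:
        if h.process and h.verdict == "unattributed":
            out[h.process].append(h.symbol)
    return dict(out)


def summary(hooks):
    counts = defaultdict(int)
    for h in hooks:
        counts[h.verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_GMER)
    print(summary(found))
    for h in unattributed(found):
        print(f"[{h.section}] {h.process or 'kernel'}: {h.symbol} -> {h.destination}")
    print(injected_by_process(found))
```

Two things the output makes visible that a raw log buries: kernel hooks on IofCallDriver and IofCompleteRequest that resolve to a bare pool address sit on the I/O path that file-hiding rootkits commonly patch, so they deserve attention ahead of the long list of McAfee entries; and a process whose CreateFile, socket and InternetOpen imports all jump into unbacked low memory has had code injected into it, which is why a helper asks for the full user-mode section rather than just the kernel part.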
#5 amelchio
  • Topic Starter
  • Members
  • 13 posts

Posted 19 April 2009 - 07:40 PM

Hello again. First up, I use Linux a fair bit for my university work and, with some help, got a copy and dual-booted my machine. So while you're correct about the copyright comment, I'm fine. Also, does the fact that this machine dual-boots affect anything?

Anyway, here come the logs.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-20 10:05:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB64244EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6424581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6424498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB64244AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6424595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB64245C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6424634]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6424619]
Code 89CCE2E8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB642452A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB642465E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB642456D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6424470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6424484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB64244FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB642469A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6424603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB64245ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB64245AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6424686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6424672]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB64244D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB64244C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB64245D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6424559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6424648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6424540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6424514]
Code 8A812AE6 IofCallDriver
Code 8A686436 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A812AEB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A68643B
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6424518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B64244EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B642452E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B6424544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 89CCE2EC
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B6424502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B6424474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B6424488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B64244C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B64244B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B642449C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B64244DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B642455D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP B64245F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP B64245DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP B642464C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP B6424607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 3 Bytes JMP B64245AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey + 4 806231D6 3 Bytes [35, 90, 90]
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP B6424585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP B6424599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP B64245C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP B6424638 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 3 Bytes JMP B642461D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey + 4 8062425E 3 Bytes [35, 90, 90]
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP B6424571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP B642469E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP B6424676 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP B642468A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP B6424662 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F8D
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10FA8
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10076
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100B3
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F6B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F2B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F46
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F06
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D1005B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F7C
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10036
.text C:\WINDOWS\system32\svchost.exe[652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100C4
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10F9B
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C1002C
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FBE
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00053
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00FE3
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00042
.text C:\WINDOWS\system32\svchost.exe[652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C0001D
.text C:\WINDOWS\system32\svchost.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C2001B
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C2002C
.text C:\WINDOWS\system32\svchost.exe[652] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040082
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F8D
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040067
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040039
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400C4
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000400A9
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000400F0
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F57
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040101
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F72
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040FC3
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400D5
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60036
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60065
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 88]
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070FA4
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB5
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FC6
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD008E
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F99
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD007D
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0062
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F63
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00AB
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00C6
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F2D
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00D7
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F74
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\lsass.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F3E
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80F79
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80F94
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70064
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70049
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70038
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FD9
.text C:\WINDOWS\system32\lsass.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\lsass.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0265007D
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02650062
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650F94
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650FAF
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02650047
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026500AE
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650F66
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02650F2D
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026500D0
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650F1C
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650FC0
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650011
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650F77
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02650FDB
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0265002C
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026500BF
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02680014
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02680051
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02680FB9
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02680FDE
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02680036
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02680FEF
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02680F9E
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [88, 8A]
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02680025
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02670F95
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 02670020
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02670FC1
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02670FB0
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02670FDE
.text C:\WINDOWS\system32\svchost.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02660FEF
.text C:\WINDOWS\system32\svchost.exe[1136] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02690FEF
.text C:\WINDOWS\system32\svchost.exe[1136] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02690FD4
.text C:\WINDOWS\system32\svchost.exe[1136] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0269000A
.text C:\WINDOWS\system32\svchost.exe[1136] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 0269002F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F72
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F8D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0F9E
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB005B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB009D
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F61
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0F15
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB00AE
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB0EFA
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0FAF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB008C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0F30
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FDB
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F8A
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0FA5
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0047
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0FD9
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0064
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD002E
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD000C
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0049
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD001D
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\svchost.exe[1224] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02DA000A
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02DA0F77
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02DA0F88
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02DA0062
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02DA0047
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02DA0FC0
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02DA0F35
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02DA007D
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02DA0EFF
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02DA0F10
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02DA0EE4
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02DA0FA5
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02DA001B
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02DA0F52
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02DA002C
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02DA0FDB
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02DA008E
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03590047
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03590FAC
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0359002C
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0359001B
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03590069
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03590000
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03590058
.text C:\WINDOWS\System32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03590FD1
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02EC003D
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!system 77C293C7 5 Bytes JMP 02EC002C
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02EC0FCD
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02EC0FEF
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02EC0FB2
.text C:\WINDOWS\System32\svchost.exe[1408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02EC0FDE
.text C:\WINDOWS\System32\svchost.exe[1408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02DB0000
.text C:\WINDOWS\System32\svchost.exe[1408] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 035A0000
.text C:\WINDOWS\System32\svchost.exe[1408] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 035A0011
.text C:\WINDOWS\System32\svchost.exe[1408] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 035A0FE5
.text C:\WINDOWS\System32\svchost.exe[1408] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 035A0FCA
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50F8D
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50076
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50036
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500D5
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A500C4
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A50F61
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A50F72
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50115
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A500A7
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A500F0
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A3006C
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20FB5
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A2001B
.text C:\WINDOWS\system32\svchost.exe[1660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FC6
.text C:\WINDOWS\system32\svchost.exe[1660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1660] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1660] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1660] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1660] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00A4003D
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01670FEF
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01670F83
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01670082
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01670FA8
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01670065
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01670FB9
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 016700AE
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01670F68
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01670F37
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016700D0
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 016700E1
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0167004A
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0167000A
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01670093
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01670FD4
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01670025
.text C:\WINDOWS\Explorer.EXE[1964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016700BF
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01650F9E
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01650014
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01650FB9
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01650FD4
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01650F57
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01650FEF
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01650F7C
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [85, 89]
.text C:\WINDOWS\Explorer.EXE[1964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01650F8D
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0164003D
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!system 77C293C7 5 Bytes JMP 01640022
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01640011
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01640FEF
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01640FB2
.text C:\WINDOWS\Explorer.EXE[1964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01640000
.text C:\WINDOWS\Explorer.EXE[1964] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01660000
.text C:\WINDOWS\Explorer.EXE[1964] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01660011
.text C:\WINDOWS\Explorer.EXE[1964] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0166002C
.text C:\WINDOWS\Explorer.EXE[1964] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01660FE5
.text C:\WINDOWS\Explorer.EXE[1964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01770000
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0118000A
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01180F79
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01180F94
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01180062
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01180051
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01180FCA
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0118009F
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01180F57
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01180F2B
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01180F3C
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011800DF
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01180FB9
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0118001B
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01180F68
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01180FE5
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01180036
.text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011800BA
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01160039
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0116006F
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01160FDE
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01160FEF
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01160FBC
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0116000A
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01160054
.text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01160FCD
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01150F89
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 01150FA4
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0115000A
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01150FE3
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01150FB5
.text C:\WINDOWS\system32\svchost.exe[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01150FD2
.text C:\WINDOWS\system32\svchost.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\svchost.exe[1976] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01170000
.text C:\WINDOWS\system32\svchost.exe[1976] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01170FEF
.text C:\WINDOWS\system32\svchost.exe[1976] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01170FDE
.text C:\WINDOWS\system32\svchost.exe[1976] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01170025
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D7009D
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70FB2
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70080
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D7006F
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D700C4
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F7C
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D7010B
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D700FA
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D7011C
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70FCD
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70FDE
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F8D
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D7002F
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D7001E
.text C:\WINDOWS\system32\svchost.exe[2100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D700DF
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D5002F
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F8A
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[2100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D4004E
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D4003D
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40022
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FCD
.text C:\WINDOWS\system32\svchost.exe[2100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40011
.text C:\WINDOWS\system32\svchost.exe[2100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[2100] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\svchost.exe[2100] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\svchost.exe[2100] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\system32\svchost.exe[2100] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00D60FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F66
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0027005B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F81
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270040
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270091
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270076
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700BD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700A2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270F09
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0027000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F55
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0027001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270F24
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FCD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0036004A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00360F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [56, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360FBC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370029
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370018
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetCloseHandle 7805DA59 5 Bytes JMP 00C4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 00CD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetConnectW 78065B68 5 Bytes JMP 00C3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!HttpOpenRequestW 78065D42 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 00C6000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 00C5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 009A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00CB000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 009A0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 009A0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 00C9000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 00CC000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetReadFileExW 78082AB2 5 Bytes JMP 00C8000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 00C7000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 009A0FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] WININET.dll!InternetSetStatusCallbackW 780BB148 5 Bytes JMP 00CA000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2872] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02650000
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0075
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0064
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F8A
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F9B
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB6
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00A1
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0090
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F2D
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F3E
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F1C
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0047
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0011
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F65
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0022
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FDB
.text C:\Program Files\Messenger\msmsgs.exe[3636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00BC
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FB0
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FC1
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A000C
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0027
.text C:\Program Files\Messenger\msmsgs.exe[3636] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0025
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0FA5
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FD4
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B006C
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0051
.text C:\Program Files\Messenger\msmsgs.exe[3636] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0040
.text C:\Program Files\Messenger\msmsgs.exe[3636] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002C0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3636] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002D0FE5
.text C:\Program Files\Messenger\msmsgs.exe[3636] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002D0000
.text C:\Program Files\Messenger\msmsgs.exe[3636] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002D0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3636] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 002D0011

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

OTViewIt logfile created on: 4/20/2009 10:30:45 AM - Run 3
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.20 Gb Available Physical Memory | 60.08% Memory free
3.85 Gb Paging File | 3.20 Gb Available in Paging File | 83.31% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 15.55 Gb Free Space | 22.75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
[2007/09/08 04:16:50 | 00,132,392 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
[2009/01/08 19:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
[2009/02/06 20:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2005/03/16 04:33:00 | 00,127,037 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
[2005/08/11 15:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2005/12/28 10:55:40 | 00,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
[2005/12/28 10:56:16 | 00,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
[2008/04/14 10:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2006/08/03 17:51:42 | 01,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
[2006/03/24 16:30:44 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
[2006/03/08 11:48:02 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2006/11/09 14:07:30 | 00,049,263 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
[2003/11/18 16:20:46 | 00,045,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
[2006/09/01 15:57:48 | 00,282,624 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
[2007/01/08 22:26:08 | 00,068,640 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2007/03/09 11:09:58 | 00,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[2008/04/27 18:29:15 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/04/14 10:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2007/08/03 15:43:27 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2007/02/08 20:43:14 | 00,095,800 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
[2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2005/12/28 10:52:32 | 00,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
[2009/02/28 14:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
[2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2009/03/31 14:35:13 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2009/04/20 10:10:41 | 00,021,505 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Temp\1616398694.exe
[2008/04/14 10:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0 [Auto | Running])
[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
[2009/03/01 17:43:01 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2007/10/09 11:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/01/16 16:21:40 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2007/10/11 08:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService [On_Demand | Running])
[2007/10/11 08:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC [Auto | Running])
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator [Auto | Running])
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen [Auto | Running])
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER [Auto | Running])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2007/02/07 13:35:45 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2005/08/12 16:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV [System | Running])
[1997/12/23 13:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
[2007/07/18 10:38:43 | 00,278,728 | ---- | M] () -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt [Auto | Running])
[2006/08/17 07:55:16 | 00,044,544 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2004/12/14 07:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
[2005/02/02 02:22:00 | 00,088,080 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2004/12/23 01:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
[2008/04/14 02:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/12/01 00:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/12/01 00:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
[2008/04/14 04:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2007/07/18 10:38:43 | 00,025,416 | ---- | M] () -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt [Auto | Running])
[2005/10/04 22:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
[2008/10/23 12:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2007/12/11 13:06:00 | 07,438,624 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2006/04/13 16:28:28 | 00,155,648 | ---- | M] (PixArt Imaging Inc.) -- C:\WINDOWS\system32\drivers\PA707UCM.SYS -- (PAC7311 [On_Demand | Stopped])
[2004/08/04 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2009/03/01 17:37:49 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2005/07/14 17:58:14 | 00,028,544 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
[2005/07/12 18:00:30 | 00,051,328 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk [On_Demand | Running])
[2005/07/14 16:28:38 | 00,307,968 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp [On_Demand | Running])
[2005/12/28 12:22:08 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans [Auto | Running])
[2008/04/14 04:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2007/11/13 20:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2004/12/02 10:04:20 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2004/12/02 10:04:10 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
[2006/03/24 16:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2006/03/08 11:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2005/03/16 04:33:00 | 00,025,725 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2005/03/16 04:33:00 | 00,034,845 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2005/03/16 04:33:00 | 00,004,125 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2005/03/16 04:33:00 | 00,002,241 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2005/03/16 04:33:00 | 00,086,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2005/03/16 04:33:00 | 00,014,877 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2005/03/16 04:33:00 | 00,006,365 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2005/03/16 04:33:00 | 00,098,716 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2005/03/16 04:33:00 | 00,100,605 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2008/04/14 04:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/12/04 23:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51 [On_Demand | Running])
[2007/02/17 05:12:36 | 00,011,312 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter [On_Demand | Running])
[2007/02/17 04:30:12 | 00,012,848 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid [On_Demand | Running])
[2007/02/16 10:11:28 | 00,011,440 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid [On_Demand | Running])
[2005/12/01 00:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/14 04:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2004/08/04 20:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (306417 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com
10551 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{D7BF4552-94F1-42BD-F434-3604812C856D} (HKLM) -- C:\WINDOWS\system32\jh9fgo4ksdgf.dll ()

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" (Adobe Systems Incorporated)
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" (Intel Corporation)
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup (Macrovision Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (Macrovision Corporation)
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NVHotkey"=rundll32.exe nvHotkey.dll,Start (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /installquiet ()
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"SigmatelSysTrayApp"=stsystra.exe (SigmaTel, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" (Sun Microsystems, Inc.)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"Ulead AutoDetector"=C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe (Ulead Systems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=C:\DOCUME~1\Adrian\LOCALS~1\Temp\1616398694.exe ()
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" (OLYMPUS IMAGING CORP.)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""=C:\WINDOWS\TEMP\pu2zg.exe File not found
"Windows Resurections"=C:\WINDOWS\TEMP\pu2zg.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""=C:\WINDOWS\TEMP\pu2zg.exe File not found
"Windows Resurections"=C:\WINDOWS\TEMP\pu2zg.exe File not found

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=C:\DOCUME~1\Adrian\LOCALS~1\Temp\1616398694.exe ()
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" (OLYMPUS IMAGING CORP.)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1
"NoCDBurning"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab -- Reg Error: Key does not exist or could not be opened.
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}: http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{19DCA668-BE27-4F07-BF17-47518A4A4D76} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)
{6E2E535A-E47A-404F-A698-1A945BEFF5FF} (Servers: | Description: 1394 Net Adapter)
{DD7E0E9B-376B-499C-9B34-5E1A41815853} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D7BF4552-94F1-42BD-F434-3604812C856D}" (HKLM) = sfdawtawgreage4tregrgae34 -- C:\WINDOWS\system32\jh9fgo4ksdgf.dll ()

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/02/07 13:03:11 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c6b9f02-063b-11de-9696-00188bad5254}\Shell\AutoRun\command]
""=wd_windows_tools\WDSetup.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\AutoRun\command]
""=explorer .


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\mobile\command]
""=E:\MobileLaunch.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun\command]
""=E:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/04/20 10:16:39 | 00,122,368 | -HS- | C] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:33 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 09:58:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\gmer
[2009/04/20 09:52:28 | 00,278,161 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/19 14:28:14 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 14:27:07 | 00,252,537 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 13:14:52 | 00,212,849 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/17 18:33:03 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 17:11:43 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/17 17:11:41 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/17 17:11:40 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/17 17:11:39 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/17 17:11:37 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/17 17:11:36 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/17 17:11:33 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/17 17:11:32 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/17 17:11:30 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/17 17:10:19 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/17 17:10:15 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 23:53:50 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/16 06:53:39 | 00,000,046 | ---- | C] () -- C:\WINDOWS\System32\p2hhr.bat
[2009/04/16 06:50:38 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\jh9fgo4ksdgf.dll
[2009/04/12 23:02:39 | 00,078,513 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:21 | 00,077,769 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:25 | 00,111,241 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 00:57:46 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/12 00:57:46 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/09 20:17:41 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/04 10:57:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105
[2009/04/04 10:55:29 | 03,024,963 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/03 20:42:20 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/02 13:48:11 | 00,145,451 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:04 | 00,460,838 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/30 22:28:53 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls
[2009/03/22 16:15:06 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\This thesis pertains to the creation of a 9.doc
[2009/03/22 00:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/04/20 10:28:16 | 00,147,968 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/20 10:16:52 | 00,122,368 | -HS- | M] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 10:07:16 | 00,023,857 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/20 09:57:48 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/04/20 09:54:42 | 00,526,212 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/20 09:54:42 | 00,444,656 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/20 09:54:42 | 00,072,496 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/20 09:52:29 | 00,278,161 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/20 09:50:53 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/20 09:50:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/20 09:50:26 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 14:28:15 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,252,537 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 14:27:10 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 13:14:56 | 00,212,849 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/18 23:58:00 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/04/18 23:11:07 | 00,306,417 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/17 18:34:02 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/17 18:33:03 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 14:26:45 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/16 23:52:05 | 00,000,046 | ---- | M] () -- C:\WINDOWS\System32\p2hhr.bat
[2009/04/16 14:58:40 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls
[2009/04/16 14:58:37 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/16 14:58:35 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/16 14:57:40 | 00,017,408 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1h.xls
[2009/04/16 06:50:38 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\jh9fgo4ksdgf.dll
[2009/04/12 23:02:40 | 00,078,513 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:22 | 00,077,769 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:33 | 00,111,241 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 01:00:28 | 00,313,476 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090418-231107.backup
[2009/04/12 00:57:46 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/12 00:57:46 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/07 00:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/04 10:55:40 | 03,024,963 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/02 21:28:40 | 02,111,196 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\IconCache.db
[2009/04/02 13:48:13 | 00,145,451 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:05 | 00,460,838 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/27 16:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/03/22 17:58:46 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\This thesis pertains to the creation of a 9.doc
[2009/03/22 00:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/22 00:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
< End of report >

OTViewIt Extras logfile created on: 4/20/2009 10:30:45 AM - Run 3
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.20 Gb Available Physical Memory | 60.08% Memory free
3.85 Gb Paging File | 3.20 Gb Available in Paging File | 83.31% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 15.55 Gb Free Space | 22.75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/02/08 16:44:51 | 00,784,032 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/08 16:55:19 | 00,771,473 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/14 09:37:07 | 00,771,373 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/16 06:58:28 | 00,771,353 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/03/07 15:34:43 | 00,771,362 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/04/04 13:32:22 | 00,771,411 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2009/02/12 20:30:10 | 02,172,400 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
File not found -- C:\Program Files\Monte Cristo\Silverfall\Silverfall.exe:*:Enabled:Silverfall
[2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\Program Files\Codemasters\RF Online;\RF.exe:*:Enabled:RFLauncher
[2008/05/11 21:19:30 | 05,423,104 | ---- | M] (http://www.emule-project.net) -- C:\Program Files\eMule\emule.exe:*:Enabled:eMule
[2008/03/07 22:44:00 | 00,254,976 | ---- | M] (Azureus Inc) -- C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server
File not found -- C:\Documents and Settings\Adrian\Local Settings\Temp\Blizzard Launcher Temporary - 0b9cbc68\Launcher.exe:*:Enabled:Blizzard Launcher
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 18:58:02 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2009/02/13 11:44:56 | 00,150,032 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}"=mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}"=Sonic RecordNow Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}"=mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Sonic DLA
"{13F3917B56CD4C25848BDC69916971BB}"=DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1DDF840B-A50A-491E-BF44-6D6964C451A8}"=VGA USB Camera
"{21657574-BD54-48A2-9450-EB03B2C7FC29}"=Sonic MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}"=mProSafe
"{2BA00471-0328-3743-93BD-FA813353A783}"=Microsoft .NET Framework 3.0 Service Pack 1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}"=J2SE Runtime Environment 5.0 Update 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}"=mIWA
"{3FC7CBBC4C1E11DCA1A752EA55D89593}"=DivX Version Checker
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}"=mHlpDell
"{4F1DA6BF-3614-48A1-9970-9E90F646789E}"=Ulead VideoStudio 8.0 SE DVD
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}"=mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}"=VC80CRTRedist - 8.0.50727.762
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{7F142D56-3326-11D5-B229-002078017FBF}"=Modem Helper
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}"=mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}"=mPfWiz
"{91CA0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Small Business Edition 2003
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}"=Microsoft Games for Windows - LIVE Redistributable
"{94658027-9F16-4509-BBD7-A59FE57C3023}"=mZConfig
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}"=Fallout 3
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}"=Broadcom 440x 10/100 Integrated Controller
"{9CC89556-3578-48DD-8408-04E66EBEF401}"=mXML
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}"=mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}"=SigmaTel Audio
"{A654A805-41D9-40C7-AA46-4AF04F044D61}"=Adobe® Photoshop® Album Starter Edition 3.2
"{A96E97134CA649888820BCDE5E300BBD}"=H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}"=MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Sonic Audio module
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}"=AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{C5074CC4-0E26-4716-A307-960272A90040}"=QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CB49B376-1136-44B4-83FA-036334B59937}"=OLYMPUS Master 2
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}"=Ulead Photo Explorer 8.0 SE Basic
"{DDDE47E5-C711-4D17-9FA6-E3D7C340192A}"=OLYMPUS muvee theaterPack
"{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{E81667C6-2856-46D6-ABEA-6A2F42166779}"=mCore
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}"=mMHouse
"{F54AC413-D2C6-4A24-B324-370C223C6250}"=Adobe Photoshop Elements 6.0
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}"=mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}"=mWlsSafe
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}"=Dell Resource CD
"3635FC5A3FE7DACCEF2123BDBDA808BA811B977B"=Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
"452416B030C25BAA383F3DA368FECD5D48FAE727"=Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
"AD&D Core Rules 2.0 Expansion"=Advanced Dungeons & Dragons Core Rules 2.0 Expansion
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6"=Adobe Photoshop Elements 6.0
"Adobe® Photoshop® Album Starter Edition 3.2"=Adobe® Photoshop® Album Starter Edition 3.2
"AGEIA PhysX v2.4.4"=AGEIA PhysX v2.4.4
"Azureus Vuze"=Azureus Vuze
"Caligari trueSpace7.6_is1"=Uninstall trueSpace7.6
"Campaign Mapper"=Campaign Mapper
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3"=Conexant HDA D110 MDC V.92 Modem
"Combined Community Codec Pack_is1"=Combined Community Codec Pack 2008-09-21 16:18
"Diablo II"=Diablo II
"DivX Plus DirectShow Filters"=DivX Plus DirectShow Filters
"DVD Shrink_is1"=DVD Shrink 3.2
"eMule"=eMule
"Evil Genius_is1"=Evil Genius
"F631A62FA5E06534A0FE3637D75AAA5B1D3E4FB7"=Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
"ffvfw"=ffvfw (uninstall only)
"HijackThis"=HijackThis 1.99.1
"Homeworld2"=Homeworld2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"Manual video for trueSpace7.6_is1"=Manual video for trueSpace7.6
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.8)"=Mozilla Firefox (3.0.8)
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"Pen Tablet Driver"=Pen Tablet
"ProInst"=Intel® PROSet/Wireless Software
"RealPlayer 6.0"=RealPlayer
"Sam and Max - Season One"=Sam and Max - Season One 1.0
"ST6UNST #1"=NSRCG
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"World of Warcraft"=World of Warcraft
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/21/2008 6:09:43 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/29/2008 9:59:55 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 12/30/2008 7:13:26 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/14/2009 7:47:17 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:47:28 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 2/26/2009 8:23:19 AM | Computer Name = VALINDRA | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 1288 (0x508) Thread address : 0x7C90E4F4 Thread message : Build VSCORE.14.0.0.405
/ 5300.2777 Object being scanned = \Device\CdRom0\setup.exe by D:\autorun\autorun_inst.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 3/8/2009 7:44:10 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3334, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/13/2009 9:11:13 AM | Computer Name = VALINDRA | Source = Application Error | ID = 1000
Description = Faulting application McNASvc.exe, version 3.3.104.0, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x000118e9.

Error - 4/5/2009 10:58:41 PM | Computer Name = VALINDRA | Source = ESENT | ID = 485
Description = wuauclt (172) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/5/2009 10:58:42 PM | Computer Name = VALINDRA | Source = ESENT | ID = 485
Description = wuauclt (172) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 4/19/2009 2:54:00 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/19/2009 2:54:12 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/19/2009 2:55:05 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 2:55:14 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 3:18:32 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McShield with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 4/19/2009 3:18:32 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 3:19:37 AM | Computer Name = VALINDRA | Source = Service Control Manager | ID = 7034
Description = The McAfee Scanner service terminated unexpectedly. It has done this
1 time(s).

Error - 4/19/2009 5:32:44 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/19/2009 5:32:53 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/19/2009 7:11:45 AM | Computer Name = VALINDRA | Source = Service Control Manager | ID = 7034
Description = The McAfee Scanner service terminated unexpectedly. It has done this
1 time(s).


< End of report >

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:53 PM

Posted 20 April 2009 - 02:29 PM

Hi amelchio,

We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

We need to backup your registry as we will be making changes there.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click (or if your PC is running Vista, right-click and select Run As Administrator) the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Files
    C:\Documents and Settings\Adrian\Local Settings\Temp\1616398694.exe
    C:\Documents and Settings\Adrian\Local Settings\Temp\1230050494.exe
    C:\WINDOWS\system32\jh9fgo4ksdgf.dll
    C:\WINDOWS\System32\p2hhr.bat
    c:\windows\temp\pu2zg.exe
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF4552-94F1-42BD-F434-3604812C856D}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Manager"=-
    [HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Manager"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
    "DisableRegistryTools"=-
    [HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
    "DisableRegistryTools"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "sfdawtawgreage4tregrgae34"=-
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Please also run and post another OTViewIt log.

So that's:

The OTViewIt log
The OTMoveIt log
The MBAM log

Thanks :thumbup2:
m0le is a proud member of UNITE
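
The OTMoveIt3 script in the post above has a small grammar: paths under :Files, registry keys under :Reg where [-KEY] deletes a whole key and "Name"=- deletes a value, and bracketed commands under :Commands. As an added example that is not part of the post or of OldTimer's tool, this Python dry-run parser turns such a script into a reviewable plan and flags any file target under system32; the FixPlan structure and the system32 warning rule are this example's own assumptions.

```python
"""Dry-run parser for the OTMoveIt3 script format used in the post above.

Added example, not OldTimer's own code. It turns a script into a reviewable
plan (files, registry keys and values, commands) before the real tool runs.
The system32 warning rule is this example's own assumption.
"""
import re
from dataclasses import dataclass, field

SECTIONS = (":Files", ":Reg", ":Commands")

# [KEY] selects a key for the value lines that follow; [-KEY] deletes the key.
_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]$")
# "Name"=- deletes a value under the current key; "Name"=data sets it.
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
# Command lines in :Commands look like [EmptyTemp].
_CMD_RE = re.compile(r"^\[([A-Za-z]+)\]$")

# Assumed review rule: a deletion inside system32 deserves a second look,
# since removing a legitimate file there can break the OS.
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class FixPlan:
    files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, name, data)
    commands: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_otmoveit_script(text: str) -> FixPlan:
    """Parse script text into a FixPlan; unrecognised lines become warnings."""
    plan = FixPlan()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
            continue
        if section == ":Files":
            plan.files.append(line)
            if line.lower().startswith(SYSTEM_DIR):
                plan.warnings.append(f"line {lineno}: system32 target {line}")
        elif section == ":Reg":
            key = _KEY_RE.match(line)
            val = _VALUE_RE.match(line)
            if key and key.group(1) == "-":
                plan.delete_keys.append(key.group(2))
                current_key = None
            elif key:
                current_key = key.group(2)
            elif val and current_key:
                name, data = val.groups()
                if data == "-":
                    plan.delete_values.append((current_key, name))
                else:
                    plan.set_values.append((current_key, name, data))
            else:
                plan.warnings.append(f"line {lineno}: unparsed :Reg line {line!r}")
        elif section == ":Commands":
            cmd = _CMD_RE.match(line)
            if cmd:
                plan.commands.append(cmd.group(1))
            else:
                plan.warnings.append(f"line {lineno}: unknown command {line!r}")
        else:
            plan.warnings.append(f"line {lineno}: text outside any section {line!r}")
    return plan


# The script from the post above, used here as the sample input.
SCRIPT = r"""
:Files
C:\Documents and Settings\Adrian\Local Settings\Temp\1616398694.exe
C:\Documents and Settings\Adrian\Local Settings\Temp\1230050494.exe
C:\WINDOWS\system32\jh9fgo4ksdgf.dll
C:\WINDOWS\System32\p2hhr.bat
c:\windows\temp\pu2zg.exe
:Reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF4552-94F1-42BD-F434-3604812C856D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=-
[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=-
[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"sfdawtawgreage4tregrgae34"=-
:Commands
[EmptyTemp]
"""

if __name__ == "__main__":
    plan = parse_otmoveit_script(SCRIPT)
    print(f"{len(plan.files)} files, {len(plan.delete_keys)} keys, "
          f"{len(plan.delete_values)} values, commands={plan.commands}")
    for warning in plan.warnings:
        print("WARN", warning)
```

Running it on the posted script reports 5 files, 1 key, 5 values and the EmptyTemp command, with two system32 warnings for the .dll and .bat targets.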

#7 amelchio

amelchio
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:53 AM

Posted 20 April 2009 - 11:38 PM

O.K. Here's hoping that I have done everything correctly.
Not sure if you wanted to see the extras.txt file from OTViewIt again, but I have included it anyway.

May I present to you..... the logs!

OTViewIt logfile created on: 4/21/2009 2:24:12 PM - Run 4
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.79% Memory free
3.85 Gb Paging File | 3.58 Gb Available in Paging File | 93.10% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 23.83 Gb Free Space | 34.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
[2009/02/06 20:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2009/02/06 20:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/10/16 13:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0 [Auto | Running])
[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
[2009/03/01 17:43:01 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2007/10/09 11:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/01/16 16:21:40 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2007/10/11 08:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled | Stopped])
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService [On_Demand | Running])
[2007/10/11 08:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC [Auto | Running])
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator [Auto | Running])
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen [Auto | Running])
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER [Auto | Running])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2007/02/07 13:35:45 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2005/08/12 16:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV [System | Running])
[1997/12/23 13:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
[2007/07/18 10:38:43 | 00,278,728 | ---- | M] () -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt [Auto | Running])
[2006/08/17 07:55:16 | 00,044,544 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2004/12/14 07:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
[2005/02/02 02:22:00 | 00,088,080 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2004/12/23 01:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
[2008/04/14 02:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/12/01 00:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/12/01 00:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
[2008/04/14 04:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2007/07/18 10:38:43 | 00,025,416 | ---- | M] () -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt [Auto | Running])
[2005/10/04 22:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
[2008/10/23 12:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2007/12/11 13:06:00 | 07,438,624 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2006/04/13 16:28:28 | 00,155,648 | ---- | M] (PixArt Imaging Inc.) -- C:\WINDOWS\system32\drivers\PA707UCM.SYS -- (PAC7311 [On_Demand | Stopped])
[2004/08/04 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2009/03/01 17:37:49 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2005/07/14 17:58:14 | 00,028,544 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
[2005/07/12 18:00:30 | 00,051,328 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk [On_Demand | Running])
[2005/07/14 16:28:38 | 00,307,968 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp [On_Demand | Running])
[2005/12/28 12:22:08 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans [Auto | Running])
[2008/04/14 04:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2007/11/13 20:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2004/12/02 10:04:20 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2004/12/02 10:04:10 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
[2006/03/24 16:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2006/03/08 11:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2005/03/16 04:33:00 | 00,025,725 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2005/03/16 04:33:00 | 00,034,845 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2005/03/16 04:33:00 | 00,004,125 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2005/03/16 04:33:00 | 00,002,241 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2005/03/16 04:33:00 | 00,086,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2005/03/16 04:33:00 | 00,014,877 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2005/03/16 04:33:00 | 00,006,365 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2005/03/16 04:33:00 | 00,098,716 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2005/03/16 04:33:00 | 00,100,605 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2008/04/14 04:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/12/04 23:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51 [On_Demand | Running])
[2007/02/17 05:12:36 | 00,011,312 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter [On_Demand | Running])
[2007/02/17 04:30:12 | 00,012,848 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid [On_Demand | Running])
[2007/02/16 10:11:28 | 00,011,440 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid [On_Demand | Running])
[2005/12/01 00:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/14 04:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2004/08/04 20:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (306417 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com
10551 more lines...

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1
"NoCDBurning"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 14:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab -- Reg Error: Key does not exist or could not be opened.
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}: http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{19DCA668-BE27-4F07-BF17-47518A4A4D76} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)
{6E2E535A-E47A-404F-A698-1A945BEFF5FF} (Servers: | Description: 1394 Net Adapter)
{DD7E0E9B-376B-499C-9B34-5E1A41815853} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/02/07 13:03:11 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c6b9f02-063b-11de-9696-00188bad5254}\Shell\AutoRun\command]
""=wd_windows_tools\WDSetup.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\AutoRun\command]
""=explorer .


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\mobile\command]
""=E:\MobileLaunch.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun\command]
""=E:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2009/04/21 13:53:18 | 02,209,616 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-rules.exe
[2009/04/21 13:48:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Application Data\Malwarebytes
[2009/04/21 13:48:38 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 13:48:37 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/21 13:48:35 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/21 13:48:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/21 13:48:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/21 13:45:12 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/04/21 13:44:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/21 13:43:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\erunt
[2009/04/21 13:32:57 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\sf87wuijndoio43j.dll
[2009/04/21 13:29:36 | 00,513,320 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\erunt.zip
[2009/04/21 13:28:28 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-setup.exe
[2009/04/21 13:28:17 | 00,389,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTMoveIt3.exe
[2009/04/20 10:16:39 | 00,240,128 | -HS- | C] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:33 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 09:58:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\gmer
[2009/04/20 09:52:28 | 00,278,161 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/19 14:28:14 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 14:27:07 | 00,252,537 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 13:14:52 | 00,212,849 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/17 18:33:03 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 17:11:43 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/17 17:11:41 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/17 17:11:40 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/17 17:11:39 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/17 17:11:37 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/17 17:11:36 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/17 17:11:33 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/17 17:11:32 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/17 17:11:30 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/17 17:10:19 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/17 17:10:15 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 23:53:50 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/12 23:02:39 | 00,078,513 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:21 | 00,077,769 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:25 | 00,111,241 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 00:57:46 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/12 00:57:46 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/09 20:17:41 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/04 10:57:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105
[2009/04/04 10:55:29 | 03,024,963 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/03 20:42:20 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/02 13:48:11 | 00,145,451 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:04 | 00,460,838 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/30 22:28:53 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls
[2009/03/22 16:15:06 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\This thesis pertains to the creation of a 9.doc

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/04/21 14:21:12 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/04/21 14:20:57 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/21 14:20:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/21 14:20:48 | 00,289,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/21 14:19:48 | 00,024,113 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/21 13:53:24 | 02,209,616 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-rules.exe
[2009/04/21 13:51:04 | 00,526,212 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/21 13:51:04 | 00,444,656 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/21 13:51:04 | 00,072,496 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/21 13:48:38 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 13:39:18 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/21 13:32:57 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\sf87wuijndoio43j.dll
[2009/04/21 13:29:37 | 00,513,320 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\erunt.zip
[2009/04/21 13:28:38 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-setup.exe
[2009/04/21 13:28:19 | 00,389,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTMoveIt3.exe
[2009/04/20 21:06:46 | 00,147,968 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/20 20:49:37 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/20 17:57:09 | 00,240,128 | -HS- | M] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 09:52:29 | 00,278,161 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/19 14:28:15 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,252,537 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 14:27:10 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 13:14:56 | 00,212,849 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/18 23:58:00 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/04/18 23:11:07 | 00,306,417 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/17 18:34:02 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/17 18:33:03 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 14:26:45 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/16 14:58:40 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls
[2009/04/16 14:58:37 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/16 14:58:35 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/16 14:57:40 | 00,017,408 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1h.xls
[2009/04/12 23:02:40 | 00,078,513 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:22 | 00,077,769 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:33 | 00,111,241 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 01:00:28 | 00,313,476 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090418-231107.backup
[2009/04/12 00:57:46 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/07 00:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 10:55:40 | 03,024,963 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/02 21:28:40 | 02,111,196 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\IconCache.db
[2009/04/02 13:48:13 | 00,145,451 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:05 | 00,460,838 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/27 16:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/03/22 17:58:46 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\This thesis pertains to the creation of a 9.doc
< End of report >

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

OTViewIt Extras logfile created on: 4/21/2009 2:24:12 PM - Run 4
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.79% Memory free
3.85 Gb Paging File | 3.58 Gb Available in Paging File | 93.10% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 23.83 Gb Free Space | 34.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/02/08 16:44:51 | 00,784,032 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/08 16:55:19 | 00,771,473 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/14 09:37:07 | 00,771,373 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/16 06:58:28 | 00,771,353 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/03/07 15:34:43 | 00,771,362 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/04/04 13:32:22 | 00,771,411 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2009/02/12 20:30:10 | 02,172,400 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
File not found -- C:\Program Files\Monte Cristo\Silverfall\Silverfall.exe:*:Enabled:Silverfall
[2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\Program Files\Codemasters\RF Online;\RF.exe:*:Enabled:RFLauncher
[2008/05/11 21:19:30 | 05,423,104 | ---- | M] (http://www.emule-project.net) -- C:\Program Files\eMule\emule.exe:*:Enabled:eMule
[2008/03/07 22:44:00 | 00,254,976 | ---- | M] (Azureus Inc) -- C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater
File not found -- C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server
File not found -- C:\Documents and Settings\Adrian\Local Settings\Temp\Blizzard Launcher Temporary - 0b9cbc68\Launcher.exe:*:Enabled:Blizzard Launcher
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 18:58:02 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2009/02/13 11:44:56 | 00,150,032 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}"=mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}"=Sonic RecordNow Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}"=mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Sonic DLA
"{13F3917B56CD4C25848BDC69916971BB}"=DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1DDF840B-A50A-491E-BF44-6D6964C451A8}"=VGA USB Camera
"{21657574-BD54-48A2-9450-EB03B2C7FC29}"=Sonic MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}"=mProSafe
"{2BA00471-0328-3743-93BD-FA813353A783}"=Microsoft .NET Framework 3.0 Service Pack 1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}"=J2SE Runtime Environment 5.0 Update 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}"=mIWA
"{3FC7CBBC4C1E11DCA1A752EA55D89593}"=DivX Version Checker
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}"=mHlpDell
"{4F1DA6BF-3614-48A1-9970-9E90F646789E}"=Ulead VideoStudio 8.0 SE DVD
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}"=mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}"=VC80CRTRedist - 8.0.50727.762
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{7F142D56-3326-11D5-B229-002078017FBF}"=Modem Helper
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}"=mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}"=mPfWiz
"{91CA0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Small Business Edition 2003
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}"=Microsoft Games for Windows - LIVE Redistributable
"{94658027-9F16-4509-BBD7-A59FE57C3023}"=mZConfig
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}"=Fallout 3
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}"=Broadcom 440x 10/100 Integrated Controller
"{9CC89556-3578-48DD-8408-04E66EBEF401}"=mXML
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}"=mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}"=SigmaTel Audio
"{A654A805-41D9-40C7-AA46-4AF04F044D61}"=Adobe® Photoshop® Album Starter Edition 3.2
"{A96E97134CA649888820BCDE5E300BBD}"=H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}"=MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Sonic Audio module
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}"=AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{C5074CC4-0E26-4716-A307-960272A90040}"=QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CB49B376-1136-44B4-83FA-036334B59937}"=OLYMPUS Master 2
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}"=Ulead Photo Explorer 8.0 SE Basic
"{DDDE47E5-C711-4D17-9FA6-E3D7C340192A}"=OLYMPUS muvee theaterPack
"{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{E81667C6-2856-46D6-ABEA-6A2F42166779}"=mCore
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}"=mMHouse
"{F54AC413-D2C6-4A24-B324-370C223C6250}"=Adobe Photoshop Elements 6.0
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}"=mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}"=mWlsSafe
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}"=Dell Resource CD
"3635FC5A3FE7DACCEF2123BDBDA808BA811B977B"=Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
"452416B030C25BAA383F3DA368FECD5D48FAE727"=Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
"AD&D Core Rules 2.0 Expansion"=Advanced Dungeons & Dragons Core Rules 2.0 Expansion
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6"=Adobe Photoshop Elements 6.0
"Adobe® Photoshop® Album Starter Edition 3.2"=Adobe® Photoshop® Album Starter Edition 3.2
"AGEIA PhysX v2.4.4"=AGEIA PhysX v2.4.4
"Azureus Vuze"=Azureus Vuze
"Caligari trueSpace7.6_is1"=Uninstall trueSpace7.6
"Campaign Mapper"=Campaign Mapper
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3"=Conexant HDA D110 MDC V.92 Modem
"Combined Community Codec Pack_is1"=Combined Community Codec Pack 2008-09-21 16:18
"Diablo II"=Diablo II
"DivX Plus DirectShow Filters"=DivX Plus DirectShow Filters
"DVD Shrink_is1"=DVD Shrink 3.2
"eMule"=eMule
"Evil Genius_is1"=Evil Genius
"F631A62FA5E06534A0FE3637D75AAA5B1D3E4FB7"=Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
"ffvfw"=ffvfw (uninstall only)
"HijackThis"=HijackThis 1.99.1
"Homeworld2"=Homeworld2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Manual video for trueSpace7.6_is1"=Manual video for trueSpace7.6
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.8)"=Mozilla Firefox (3.0.8)
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"Pen Tablet Driver"=Pen Tablet
"ProInst"=Intel® PROSet/Wireless Software
"RealPlayer 6.0"=RealPlayer
"Sam and Max - Season One"=Sam and Max - Season One 1.0
"ST6UNST #1"=NSRCG
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"World of Warcraft"=World of Warcraft
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/21/2008 6:09:43 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/29/2008 9:59:55 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 12/30/2008 7:13:26 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/14/2009 7:47:17 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:47:28 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 2/26/2009 8:23:19 AM | Computer Name = VALINDRA | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 1288 (0x508) Thread address : 0x7C90E4F4 Thread message : Build VSCORE.14.0.0.405
/ 5300.2777 Object being scanned = \Device\CdRom0\setup.exe by D:\autorun\autorun_inst.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 3/8/2009 7:44:10 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3334, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/13/2009 9:11:13 AM | Computer Name = VALINDRA | Source = Application Error | ID = 1000
Description = Faulting application McNASvc.exe, version 3.3.104.0, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x000118e9.

Error - 4/5/2009 10:58:41 PM | Computer Name = VALINDRA | Source = ESENT | ID = 485
Description = wuauclt (172) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/5/2009 10:58:42 PM | Computer Name = VALINDRA | Source = ESENT | ID = 485
Description = wuauclt (172) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 4/19/2009 2:54:00 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/19/2009 2:54:12 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/19/2009 2:55:05 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 2:55:14 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 3:18:32 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McShield with
arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error - 4/19/2009 3:18:32 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/19/2009 3:19:37 AM | Computer Name = VALINDRA | Source = Service Control Manager | ID = 7034
Description = The McAfee Scanner service terminated unexpectedly. It has done this
1 time(s).

Error - 4/19/2009 5:32:44 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/19/2009 5:32:53 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/19/2009 7:11:45 AM | Computer Name = VALINDRA | Source = Service Control Manager | ID = 7034
Description = The McAfee Scanner service terminated unexpectedly. It has done this
1 time(s).


< End of report >

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

========== FILES ==========
C:\Documents and Settings\Adrian\Local Settings\Temp\1616398694.exe moved successfully.
File/Folder C:\Documents and Settings\Adrian\Local Settings\Temp\1230050494.exe not found.
C:\WINDOWS\system32\jh9fgo4ksdgf.dll NOT unregistered.
C:\WINDOWS\system32\jh9fgo4ksdgf.dll moved successfully.
C:\WINDOWS\System32\p2hhr.bat moved successfully.
File/Folder c:\windows\temp\pu2zg.exe not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7BF4552-94F1-42BD-F434-3604812C856D}\\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Diagnostic Manager not found.
Registry value HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Diagnostic Manager not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\sfdawtawgreage4tregrgae34 not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Adrian\LOCALS~1\Temp\571544160.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Adrian\LOCALS~1\Temp\om2D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Adrian\LOCALS~1\Temp\om2E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_nPpnZFPOHshVLWV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_dFQgmkdhQnbvfrC scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_PgjrstSANtMhLBg scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_reAs0GrBBWg3jjS scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_6bIJUKv9McL3o7W scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_qgJaumad0J94GPH scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_sjMGZKeH5t7J6H0 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04212009_134512

Files moved on Reboot...
C:\DOCUME~1\Adrian\LOCALS~1\Temp\571544160.exe moved successfully.
File C:\DOCUME~1\Adrian\LOCALS~1\Temp\om2D.tmp not found!
File C:\DOCUME~1\Adrian\LOCALS~1\Temp\om2E.tmp not found!
File C:\WINDOWS\temp\mcafee_nPpnZFPOHshVLWV not found!
File C:\WINDOWS\temp\mcmsc_dFQgmkdhQnbvfrC not found!
File C:\WINDOWS\temp\mcmsc_PgjrstSANtMhLBg not found!
File C:\WINDOWS\temp\mcmsc_reAs0GrBBWg3jjS not found!
C:\WINDOWS\temp\sqlite_6bIJUKv9McL3o7W moved successfully.
C:\WINDOWS\temp\sqlite_qgJaumad0J94GPH moved successfully.
C:\WINDOWS\temp\sqlite_sjMGZKeH5t7J6H0 moved successfully.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 3

4/21/2009 2:18:51 PM
mbam-log-2009-04-21 (14-18-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163943
Time elapsed: 22 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\save (Adware.WhenUSave) -> Quarantined and deleted successfully.

Files Infected:
C:\_OTMoveIt\MovedFiles\04212009_134512\WINDOWS\system32\jh9fgo4ksdgf.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.d2s (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.key (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.ma0 (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.ma1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.ma2 (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\save\Valindra.map (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I have no idea what stage we're up to, but thanks for the help so far. :thumbup2:

#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:53 PM

Posted 21 April 2009 - 06:32 AM

We're doing fine amelchio. :thumbup2:

Could you please run OTViewIt again?

I need to see those two logs after the work that Combofix and MBAM have done.
m0le is a proud member of UNITE

#9 amelchio

amelchio
  • Topic Starter

  • Members
  • 13 posts

Posted 21 April 2009 - 06:35 AM

The previous post was the first I've heard of ComboFix. Where do I get it from?

#10 amelchio

amelchio
  • Topic Starter

  • Members
  • 13 posts

Posted 21 April 2009 - 07:42 AM

OK, just ignore the previous post from me. I found ComboFix and the useful how-to on the forums.

I'm going to post the results of that first, because you haven't seen them yet and I have no idea as to whether they are useful. Then the OTViewIt results. I hope that's OK.



ComboFix 09-04-21.A1 - Adrian 04/21/2009 22:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT 10:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\drivers\ovfsthhrquqowqpotmpardkmovcttytyyvnhnq.sys
c:\windows\system32\ovfsthgjgypldrrxhxfobyoqfgmythuudyulgv.dat
c:\windows\system32\ovfsthoadeiqojwlrsnyaxagqfkurowpibeekk.dll
c:\windows\system32\ovfsthovlvitlpgqkjlqqujunbiwrqsmmbivma.dll
c:\windows\system32\ovfsthpmpnwipnmiqopmylivjjvhwfoqfuenrq.dll
c:\windows\system32\ovfsthyxypjwymkfxjiuxqafyiydlwjyeitnta.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxmltkbaomlxdpeeujxtudpmpklvlbuut


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-21 10:31 . 2009-04-21 10:33 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 10:13 . 2009-04-21 10:13 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-21 08:52 . 2009-04-21 08:52 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\documents and settings\Adrian\Application Data\Malwarebytes
2009-04-21 03:48 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 03:48 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 03:45 . 2009-04-21 03:45 -------- d-----w C:\_OTMoveIt
2009-04-21 03:32 . 2009-04-21 03:32 15000 ----a-w c:\windows\system32\sf87wuijndoio43j.dll
2009-04-17 08:33 . 2009-04-17 08:33 118 ----a-w c:\windows\system32\MRT.INI
2009-04-17 07:11 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 07:11 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 07:11 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 07:11 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 07:11 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 07:11 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 07:11 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 07:11 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 07:11 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 07:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 07:10 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 14:57 . 2009-04-20 10:49 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-11 14:57 . 2009-04-11 14:57 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 10:33 . 2009-04-21 10:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 03:39 . 2009-03-01 07:18 -------- d-----w c:\documents and settings\Adrian\Application Data\WTablet
2009-04-18 13:58 . 2007-02-07 03:38 231547 ----a-w c:\windows\system32\nvModes.dat
2009-04-18 04:53 . 2008-05-01 07:15 -------- d-----w c:\program files\McAfee
2009-04-17 10:00 . 2007-02-08 05:06 -------- d-----w c:\program files\World of Warcraft
2009-04-15 21:28 . 2007-12-13 13:30 -------- d-----w c:\documents and settings\Adrian\Application Data\Azureus
2009-04-09 13:55 . 2007-12-04 11:25 -------- d-----w c:\program files\eMule
2009-04-02 09:43 . 2008-08-03 07:31 -------- d-----w c:\program files\Diablo II
2009-03-25 01:06 . 2008-05-01 07:16 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 01:06 . 2008-05-01 07:16 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 01:06 . 2008-05-01 07:16 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 01:06 . 2008-05-01 07:16 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 01:05 . 2008-05-01 07:16 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-21 14:50 . 2008-09-06 03:22 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-15 06:00 . 2009-03-15 04:17 -------- d-----w c:\program files\DivX
2009-03-15 05:59 . 2009-03-15 04:17 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-15 04:18 . 2009-03-15 04:18 -------- d-----w c:\documents and settings\Adrian\Application Data\DivX
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:44 . 2007-05-12 02:48 83728 -c--a-w c:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 12:29 . 2008-04-29 12:52 -------- d-----w c:\program files\IDoser v4
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 08:29 . 2009-03-01 08:29 -------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-03-01 07:45 . 2009-03-01 07:45 -------- d-----w c:\program files\Corel
2009-03-01 07:45 . 2009-03-01 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-03-01 07:43 . 2009-03-01 07:43 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-01 07:37 . 2006-07-23 17:00 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-03-01 07:31 . 2007-12-25 07:34 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-01 07:17 . 2009-03-01 07:17 -------- d-----w c:\program files\Tablet
2009-02-28 14:03 . 2007-11-28 02:15 -------- d-----w c:\program files\Azureus
2009-02-26 12:23 . 2009-02-26 12:23 -------- d-----w c:\program files\Telltale Games
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-03-30 01:21 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-27 01:35 . 2009-03-01 07:38 129784 ------w c:\windows\system32\pxafs.dll
2009-01-27 01:35 . 2009-03-01 07:38 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35 . 2009-03-01 07:38 118520 ------w c:\windows\system32\pxinsi64.exe
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-12-20 21:22 . 2008-12-20 21:22 178384 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-10-10 12:14 . 2008-05-17 08:35 1098222708 -c--a-w c:\program files\source materials.gcf
2007-10-10 12:14 . 2008-05-17 08:38 1023142824 -c--a-w c:\program files\source sounds.gcf
2007-10-10 12:14 . 2008-05-17 08:37 471408852 -c--a-w c:\program files\source models.gcf
2007-10-10 12:14 . 2008-05-17 08:41 168173116 -c--a-w c:\program files\portal english.gcf
2007-10-10 12:14 . 2008-05-17 08:39 1033441492 -c--a-w c:\program files\portal content.gcf
2007-10-10 12:14 . 2008-05-17 08:33 306105372 -c--a-w c:\program files\source 2007 binaries.gcf
2007-10-10 12:14 . 2008-05-17 08:34 1032871080 -c--a-w c:\program files\source 2007 shared materials.gcf
2007-10-10 12:14 . 2008-05-17 08:35 2373924 -c--a-w c:\program files\source 2007 shared sounds.gcf
2007-10-10 12:14 . 2008-05-17 08:35 155492024 -c--a-w c:\program files\source 2007 shared models.gcf
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8527872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Diagnostic Manager"=c:\docume~1\Adrian\LOCALS~1\Temp\571544160.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe"
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" /runkey
"NVHotkey"=rundll32.exe nvHotkey.dll,Start
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SigmatelSysTrayApp"=stsystra.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe"
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Ulead AutoDetector"=c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 cdiskdun;cdiskdun; [x]
R3 PAC7311;VGA USB Camera;c:\windows\system32\DRIVERS\PA707UCM.SYS [2006-04-13 155648]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-09-07 1373480]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c6b9f02-063b-11de-9696-00188bad5254}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}]
\Shell\AutoRun\command - explorer .
\Shell\mobile\command - E:\MobileLaunch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6737213-c700-11db-91fc-00188bad5254}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-01 23:53]

2009-02-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-01 23:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\qw6rv3go.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,be,a8,7f,c2,28,2a,8f,45,a0,25,d6,72,e6,df,82,2e,d5,cd,7a,3e,ff,2f,
50,43,f3,a2,de,fc,84,e7,09,2e,3a,09,3f,ce,95,50,59,a8,59,19,6f,d5,65,d3,bc,\
"??"=hex:63,e0,5f,ee,4f,76,d2,38,c5,56,ab,83,a5,b1,e8,20

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:25,b6,c0,6b,b9,1d,d3,a2,78,03,89,b6,30,ad,2e,af,17,0e,9d,bf,e0,
85,1d,18,cd,63,b5,38,9a,a5,97,b5,6f,a4,9b,05,8e,f4,6f,4e,77,48,4a,24,dc,85,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
Completion time: 2009-04-21 22:31
ComboFix-quarantined-files.txt 2009-04-21 12:31

Pre-Run: 25,546,702,848 bytes free
Post-Run: 25,526,124,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

243 --- E O F --- 2009-04-17 08:34

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

OTViewIt logfile created on: 4/21/2009 10:34:27 PM - Run 5
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.59% Memory free
3.85 Gb Paging File | 3.58 Gb Available in Paging File | 93.06% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 23.79 Gb Free Space | 34.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
[2009/02/06 20:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
[2008/04/14 10:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0 [Auto | Running])
[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/12/28 10:45:02 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
[2009/03/01 17:43:01 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2007/10/09 11:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2009/01/16 16:21:40 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2007/10/11 08:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
[2009/01/08 19:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
[2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
[2009/01/09 07:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
[2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
[2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled | Stopped])
[2009/03/19 11:42:02 | 00,884,360 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService [On_Demand | Running])
[2007/10/11 08:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/08/03 17:50:46 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC [Auto | Running])
[2007/12/11 13:06:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/12/28 10:44:24 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
[2007/01/08 22:39:44 | 00,171,040 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
[2005/12/28 10:47:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
[2005/01/14 08:32:00 | 00,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator [Auto | Running])
[2007/09/08 04:16:18 | 01,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen [Auto | Running])
[2004/03/13 03:04:16 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
[2005/12/28 11:04:56 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER [Auto | Running])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2007/02/07 13:35:45 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2005/08/12 16:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV [System | Running])
[1997/12/23 13:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
[2007/07/18 10:38:43 | 00,278,728 | ---- | M] () -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt [Auto | Running])
[2006/08/17 07:55:16 | 00,044,544 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
File not found -- -- (catchme [Disabled | Running])
[2004/12/14 07:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
[2005/02/02 02:22:00 | 00,088,080 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2004/12/23 01:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
[2008/04/14 02:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/12/01 00:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/12/01 00:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
[2008/04/14 04:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Running])
[2007/07/18 10:38:43 | 00,025,416 | ---- | M] () -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt [Auto | Running])
[2005/10/04 22:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
[2008/10/23 12:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [System | Running])
[2007/12/11 13:06:00 | 07,438,624 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2006/04/13 16:28:28 | 00,155,648 | ---- | M] (PixArt Imaging Inc.) -- C:\WINDOWS\system32\drivers\PA707UCM.SYS -- (PAC7311 [On_Demand | Stopped])
[2004/08/04 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2009/03/01 17:37:49 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2005/07/14 17:58:14 | 00,028,544 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
[2005/07/12 18:00:30 | 00,051,328 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk [On_Demand | Running])
[2005/07/14 16:28:38 | 00,307,968 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp [On_Demand | Running])
[2005/12/28 12:22:08 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans [Auto | Running])
[2008/04/14 04:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2007/11/13 20:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2004/12/02 10:04:20 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2004/12/02 10:04:10 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
[2006/03/24 16:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2006/03/08 11:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2005/03/16 04:33:00 | 00,025,725 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2005/03/16 04:33:00 | 00,034,845 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2005/03/16 04:33:00 | 00,004,125 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2005/03/16 04:33:00 | 00,002,241 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2005/03/16 04:33:00 | 00,086,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2005/03/16 04:33:00 | 00,014,877 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2005/03/16 04:33:00 | 00,006,365 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2005/03/16 04:33:00 | 00,098,716 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2005/03/16 04:33:00 | 00,100,605 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2008/04/14 04:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
[2005/12/04 23:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51 [On_Demand | Running])
[2007/02/17 05:12:36 | 00,011,312 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter [On_Demand | Running])
[2007/02/17 04:30:12 | 00,012,848 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid [On_Demand | Running])
[2007/02/16 10:11:28 | 00,011,440 | ---- | M] (Wacom Technology) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid [On_Demand | Running])
[2005/12/01 00:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/14 04:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2004/08/04 20:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (306417 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com
10551 more lines...

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (HKLM) -- c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HonorAutoRunSetting"=1
"NoCDBurning"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 16:58:40 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 14:21:53 | 00,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
internet: about in Trusted sites
mcafee.com: http in Trusted sites
mcafee.com: https in Trusted sites
51 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab -- Reg Error: Key does not exist or could not be opened.
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}: http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_06
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{19DCA668-BE27-4F07-BF17-47518A4A4D76} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)
{6E2E535A-E47A-404F-A698-1A945BEFF5FF} (Servers: | Description: 1394 Net Adapter)
{DD7E0E9B-376B-499C-9B34-5E1A41815853} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/02/07 13:03:11 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c6b9f02-063b-11de-9696-00188bad5254}\Shell\AutoRun\command]
""=wd_windows_tools\WDSetup.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\AutoRun\command]
""=explorer .


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}\Shell\mobile\command]
""=E:\MobileLaunch.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6737213-c700-11db-91fc-00188bad5254}\Shell\AutoRun\command]
""=E:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2009/04/21 22:17:22 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/04/21 22:17:18 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/21 22:17:18 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/21 22:15:49 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/04/21 22:15:49 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/04/21 22:15:49 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/04/21 22:15:49 | 00,109,568 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/04/21 22:15:49 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/04/21 22:15:49 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/04/21 22:15:49 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/21 22:15:49 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/21 22:15:46 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/04/21 22:12:38 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/21 22:11:05 | 02,999,414 | R--- | C] () -- C:\Documents and Settings\Adrian\Desktop\ComboFix.exe
[2009/04/21 20:32:04 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\Spybot - Search & Destroy.lnk
[2009/04/21 20:31:59 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/04/21 20:31:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/21 20:28:47 | 07,646,136 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Adrian\Desktop\runalyz.exe
[2009/04/21 20:26:52 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Adrian\Desktop\spybotsd162.exe
[2009/04/21 13:53:18 | 02,209,616 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-rules.exe
[2009/04/21 13:48:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Application Data\Malwarebytes
[2009/04/21 13:48:38 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 13:48:37 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/21 13:48:35 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/21 13:48:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/21 13:48:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/21 13:45:12 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/04/21 13:44:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/21 13:43:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\erunt
[2009/04/21 13:32:57 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\sf87wuijndoio43j.dll
[2009/04/21 13:29:36 | 00,513,320 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\erunt.zip
[2009/04/21 13:28:28 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-setup.exe
[2009/04/21 13:28:17 | 00,389,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTMoveIt3.exe
[2009/04/20 10:16:39 | 00,240,128 | -HS- | C] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:33 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 09:58:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\gmer
[2009/04/20 09:52:28 | 00,278,161 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/19 14:28:14 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 14:27:07 | 00,252,537 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 13:14:52 | 00,212,849 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/17 18:33:03 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 17:11:43 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/17 17:11:41 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/17 17:11:40 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/17 17:11:39 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/17 17:11:37 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/17 17:11:36 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/17 17:11:33 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/17 17:11:32 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/17 17:11:30 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/17 17:10:19 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/17 17:10:15 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 23:53:50 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/12 23:02:39 | 00,078,513 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:21 | 00,077,769 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:25 | 00,111,241 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 00:57:46 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/04/12 00:57:46 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/09 20:17:41 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/04 10:57:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105
[2009/04/04 10:55:29 | 03,024,963 | ---- | C] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/03 20:42:20 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/02 13:48:11 | 00,145,451 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:04 | 00,460,838 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/30 22:28:53 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/04/21 22:31:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/21 22:31:30 | 00,526,212 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/21 22:31:30 | 00,444,656 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/21 22:31:30 | 00,072,496 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/21 22:30:05 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/21 22:27:03 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/04/21 22:26:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/21 22:25:42 | 00,024,113 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/21 22:17:22 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/21 22:11:19 | 02,999,414 | R--- | M] () -- C:\Documents and Settings\Adrian\Desktop\ComboFix.exe
[2009/04/21 21:58:21 | 03,728,984 | -H-- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\IconCache.db
[2009/04/21 20:40:33 | 00,306,417 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/21 20:32:04 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\Spybot - Search & Destroy.lnk
[2009/04/21 20:29:25 | 07,646,136 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Adrian\Desktop\runalyz.exe
[2009/04/21 20:28:27 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Adrian\Desktop\spybotsd162.exe
[2009/04/21 20:17:05 | 00,289,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/21 13:53:24 | 02,209,616 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-rules.exe
[2009/04/21 13:48:38 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 13:39:18 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/21 13:32:57 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\sf87wuijndoio43j.dll
[2009/04/21 13:29:37 | 00,513,320 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\erunt.zip
[2009/04/21 13:28:38 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Adrian\Desktop\mbam-setup.exe
[2009/04/21 13:28:19 | 00,389,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTMoveIt3.exe
[2009/04/21 09:58:08 | 00,109,568 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/20 21:06:46 | 00,147,968 | ---- | M] () -- C:\Documents and Settings\Adrian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/20 20:49:37 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/04/20 17:57:09 | 00,240,128 | -HS- | M] () -- C:\Documents and Settings\Adrian\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Adrian\My Documents\Thumbs.db:encryptable
[2009/04/20 10:07:36 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Adrian\Desktop\OTViewIt.exe
[2009/04/20 09:52:29 | 00,278,161 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\gmer.zip
[2009/04/19 14:28:15 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds(2).scr
[2009/04/19 14:27:10 | 00,252,537 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr.part
[2009/04/19 14:27:10 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\dds.scr
[2009/04/19 13:14:56 | 00,212,849 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\hijackthis.zip
[2009/04/18 23:58:00 | 00,231,547 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2009/04/18 23:11:07 | 00,306,417 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090421-204033.backup
[2009/04/17 18:34:02 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/17 18:33:03 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/17 14:26:45 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_fit_dis_bleep.xls
[2009/04/16 14:58:40 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1_o.xls
[2009/04/16 14:58:37 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1b.xls
[2009/04/16 14:58:35 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1r.xls
[2009/04/16 14:57:40 | 00,017,408 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\Book1h.xls
[2009/04/12 23:02:40 | 00,078,513 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw10.jpg
[2009/04/12 23:00:12 | 00,073,322 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw4.jpg
[2009/04/12 22:58:22 | 00,077,769 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw7.jpg
[2009/04/12 22:33:33 | 00,111,241 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\iobw14.jpg
[2009/04/12 01:00:28 | 00,313,476 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090418-231107.backup
[2009/04/12 00:57:46 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/04/10 23:44:39 | 00,024,072 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\n1.rtf
[2009/04/10 23:44:30 | 00,005,784 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\g2.rtf
[2009/04/07 00:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 10:55:40 | 03,024,963 | ---- | M] () -- C:\Documents and Settings\Adrian\Desktop\AuctioneerSuite-5.3.4105.zip
[2009/04/02 13:48:13 | 00,145,451 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\3399097433_4302ba4ea4.jpg
[2009/04/01 23:12:28 | 01,199,889 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\FoolsGroveDelve.pdf
[2009/03/31 18:28:05 | 00,460,838 | ---- | M] () -- C:\Documents and Settings\Adrian\My Documents\58.jpg
[2009/03/27 16:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
< End of report >

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

OTViewIt Extras logfile created on: 4/21/2009 10:34:27 PM - Run 5
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Adrian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.59% Memory free
3.85 Gb Paging File | 3.58 Gb Available in Paging File | 93.06% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 23.79 Gb Free Space | 34.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALINDRA
Current User Name: Adrian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 10:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2007/02/08 16:44:51 | 00,784,032 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/08 16:55:19 | 00,771,473 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/14 09:37:07 | 00,771,373 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/02/16 06:58:28 | 00,771,353 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/03/07 15:34:43 | 00,771,362 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2007/04/04 13:32:22 | 00,771,411 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader
[2009/02/12 20:30:10 | 02,172,400 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
[2008/04/14 10:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/05/11 21:19:30 | 05,423,104 | ---- | M] (http://www.emule-project.net) -- C:\Program Files\eMule\emule.exe:*:Enabled:eMule
[2008/03/07 22:44:00 | 00,254,976 | ---- | M] (Azureus Inc) -- C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
[2008/04/14 04:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/01/09 10:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 18:58:02 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2009/02/13 11:44:56 | 00,150,032 | ---- | M] () c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (sacore:{5513F07E-936B-4E52-9B00-067394E91CC5} (HKLM) [McAfee SACore Protocol Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}"=mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}"=Sonic RecordNow Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}"=mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Sonic DLA
"{13F3917B56CD4C25848BDC69916971BB}"=DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1DDF840B-A50A-491E-BF44-6D6964C451A8}"=VGA USB Camera
"{21657574-BD54-48A2-9450-EB03B2C7FC29}"=Sonic MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}"=mProSafe
"{2BA00471-0328-3743-93BD-FA813353A783}"=Microsoft .NET Framework 3.0 Service Pack 1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}"=J2SE Runtime Environment 5.0 Update 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}"=mIWA
"{3FC7CBBC4C1E11DCA1A752EA55D89593}"=DivX Version Checker
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}"=mHlpDell
"{4F1DA6BF-3614-48A1-9970-9E90F646789E}"=Ulead VideoStudio 8.0 SE DVD
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}"=mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}"=VC80CRTRedist - 8.0.50727.762
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{7F142D56-3326-11D5-B229-002078017FBF}"=Modem Helper
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}"=mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}"=mPfWiz
"{91CA0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Small Business Edition 2003
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}"=Microsoft Games for Windows - LIVE Redistributable
"{94658027-9F16-4509-BBD7-A59FE57C3023}"=mZConfig
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}"=Fallout 3
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}"=Broadcom 440x 10/100 Integrated Controller
"{9CC89556-3578-48DD-8408-04E66EBEF401}"=mXML
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}"=mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}"=SigmaTel Audio
"{A654A805-41D9-40C7-AA46-4AF04F044D61}"=Adobe® Photoshop® Album Starter Edition 3.2
"{A96E97134CA649888820BCDE5E300BBD}"=H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}"=MKV Splitter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Sonic Audio module
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}"=AAC Decoder
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{C5074CC4-0E26-4716-A307-960272A90040}"=QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CB49B376-1136-44B4-83FA-036334B59937}"=OLYMPUS Master 2
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}"=Ulead Photo Explorer 8.0 SE Basic
"{DDDE47E5-C711-4D17-9FA6-E3D7C340192A}"=OLYMPUS muvee theaterPack
"{E1A63F75-1F72-4450-980D-434496FFC646}"=Corel Painter Essentials 4
"{E81667C6-2856-46D6-ABEA-6A2F42166779}"=mCore
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}"=mMHouse
"{F54AC413-D2C6-4A24-B324-370C223C6250}"=Adobe Photoshop Elements 6.0
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}"=mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}"=mWlsSafe
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}"=Dell Resource CD
"3635FC5A3FE7DACCEF2123BDBDA808BA811B977B"=Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
"452416B030C25BAA383F3DA368FECD5D48FAE727"=Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
"AD&D Core Rules 2.0 Expansion"=Advanced Dungeons & Dragons Core Rules 2.0 Expansion
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 6"=Adobe Photoshop Elements 6.0
"Adobe® Photoshop® Album Starter Edition 3.2"=Adobe® Photoshop® Album Starter Edition 3.2
"AGEIA PhysX v2.4.4"=AGEIA PhysX v2.4.4
"Azureus Vuze"=Azureus Vuze
"Caligari trueSpace7.6_is1"=Uninstall trueSpace7.6
"Campaign Mapper"=Campaign Mapper
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3"=Conexant HDA D110 MDC V.92 Modem
"Combined Community Codec Pack_is1"=Combined Community Codec Pack 2008-09-21 16:18
"Diablo II"=Diablo II
"DivX Plus DirectShow Filters"=DivX Plus DirectShow Filters
"DVD Shrink_is1"=DVD Shrink 3.2
"eMule"=eMule
"Evil Genius_is1"=Evil Genius
"F631A62FA5E06534A0FE3637D75AAA5B1D3E4FB7"=Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
"ffvfw"=ffvfw (uninstall only)
"HijackThis"=HijackThis 1.99.1
"Homeworld2"=Homeworld2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Manual video for trueSpace7.6_is1"=Manual video for trueSpace7.6
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.8)"=Mozilla Firefox (3.0.8)
"MSC"=McAfee SecurityCenter
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"Pen Tablet Driver"=Pen Tablet
"ProInst"=Intel® PROSet/Wireless Software
"RealPlayer 6.0"=RealPlayer
"Sam and Max - Season One"=Sam and Max - Season One 1.0
"ST6UNST #1"=NSRCG
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"World of Warcraft"=World of Warcraft
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"I-Doser v4"=I-Doser v4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2008 9:45:38 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application realplay.exe, version 11.0.0.446, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/17/2008 11:46:27 PM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20061.1023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/21/2008 6:09:43 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/29/2008 9:59:55 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 12/30/2008 7:13:26 AM | Computer Name = VALINDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/14/2009 7:47:17 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2009 7:47:28 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 2/26/2009 8:23:19 AM | Computer Name = VALINDRA | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 1288 (0x508) Thread address : 0x7C90E4F4 Thread message : Build VSCORE.14.0.0.405
/ 5300.2777 Object being scanned = \Device\CdRom0\setup.exe by D:\autorun\autorun_inst.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 3/8/2009 7:44:10 AM | Computer Name = VALINDRA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3334, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/13/2009 9:11:13 AM | Computer Name = VALINDRA | Source = Application Error | ID = 1000
Description = Faulting application McNASvc.exe, version 3.3.104.0, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x000118e9.

[ System Events ]
Error - 4/21/2009 8:05:06 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:06 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:06 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:06 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:21 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:21 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:21 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:21 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:05:21 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor
Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error - 4/21/2009 8:06:28 AM | Computer Name = VALINDRA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

#11 m0le (Malware Response Team, London, UK)

Posted 21 April 2009 - 06:40 PM

Hi amelchio,

Sorry for the confusion in the last post. I hadn't meant to say Combofix and I certainly hadn't asked you to run it. That could have been dangerous and may have resulted in an unbootable computer.

However, the Combofix log shows that there is further malware in the PC so we are going to use Combofix to tackle it.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\sf87wuijndoio43j.dll
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Diagnostic Manager"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
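The CFScript procedure above removes two things: the dropped DLL (via `File::`) and the Run-key value that relaunched the dropper from the user's Temp folder (via `Registry::`, where `"name"=-` in REGEDIT4 syntax deletes a value). The example below is added here and is not m0le's or ComboFix's own code: a Python script that parses the `Reg Loading Points` section of a ComboFix log, flags autorun entries that launch from a Temp directory or carry a numeric or letter-digit-salad filename of the kind droppers generate, and emits a CFScript for them. The sample log is constructed, modelled on the Run-key lines in this thread; the `"Updater"` line that loads the DLL through rundll32 is hypothetical, added only to exercise the parser, since the thread never shows how that DLL was loaded.

```python
"""Triage ComboFix 'Reg Loading Points' output and draft a CFScript.
Added example for this thread, not part of ComboFix or the original post."""
from __future__ import annotations

import re
from typing import NamedTuple


class RunEntry(NamedTuple):
    key: str      # registry key exactly as ComboFix printed it (including its trailing '-')
    name: str     # value name under that key
    target: str   # first executable/DLL path the value launches, lower-cased, or ""


# Constructed sample, modelled on the Run-key lines in this thread.
# "Updater" is hypothetical: it exists only to exercise the rundll32 path.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Diagnostic Manager"=c:\docume~1\Adrian\LOCALS~1\Temp\571544160.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NVHotkey"=rundll32.exe nvHotkey.dll,Start
"Updater"=rundll32.exe c:\windows\system32\sf87wuijndoio43j.dll,Start
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
# First absolute path ending in an executable extension, quoted or not.
_PATH = re.compile(r'([a-z]:\\[^",]*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.I)


def parse_run_entries(text: str) -> list[RunEntry]:
    """Walk the REGEDIT4-style dump and return one RunEntry per value line."""
    entries: list[RunEntry] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
        elif (m := _VALUE.match(line)) and key:
            name, data = m.groups()
            p = _PATH.search(data)
            entries.append(RunEntry(key, name, p.group(1).lower() if p else ""))
    return entries


def alternations(stem: str) -> int:
    """Count letter<->digit switches in a filename stem: 'sf87wuijndoio43j' -> 4, 'nvHotkey' -> 0."""
    classes = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def is_suspicious(entry: RunEntry) -> bool:
    """Heuristics for triage, not proof: launched from a Temp folder, or a
    purely numeric / letter-digit-salad filename."""
    if not entry.target:
        return False
    parts = entry.target.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    in_temp = any(p in ("temp", "tmp") for p in parts[:-1])
    return in_temp or stem.isdigit() or alternations(stem) >= 3


def build_cfscript(entries: list[RunEntry]) -> str:
    """Emit ComboFix directives: File:: deletes the binaries, Registry::
    deletes the autorun values with REGEDIT4's "name"=- syntax.
    Keys are reproduced verbatim from the log, as m0le's script does."""
    bad = [e for e in entries if is_suspicious(e)]
    if not bad:
        return ""
    out = ["File::"] + sorted({e.target for e in bad}) + ["", "Registry::"]
    for key in dict.fromkeys(e.key for e in bad):   # log order, de-duplicated
        out.append(f"[{key}]")
        out += [f'"{e.name}"=-' for e in bad if e.key == key]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_run_entries(SAMPLE_LOG)), end="")
```

Treat the output as a draft to review, not a verdict: a legitimately scheduled one-shot installer can also sit in Temp, so check each flagged target (publisher signature, creation time, the process that wrote it) before handing a script to ComboFix. The script itself never runs ComboFix or touches the registry; it only reads the log text.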

#12 amelchio (Topic Starter)

Posted 21 April 2009 - 10:39 PM

Hey again. May I present to you... the combofix log.

ComboFix 09-04-21.A1 - Adrian 04/22/2009 13:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1617 [GMT 10:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adrian\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\sf87wuijndoio43j.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\sf87wuijndoio43j.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-17 08:33 . 2009-04-17 08:33 118 ----a-w c:\windows\system32\MRT.INI
2009-04-17 07:11 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 07:11 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 07:11 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 07:11 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 07:11 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 07:11 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 07:11 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 07:11 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 07:11 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 07:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 07:10 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 14:57 . 2009-04-20 10:49 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-11 14:57 . 2009-04-11 14:57 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 10:33 . 2009-04-21 10:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 10:33 . 2009-04-21 10:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 08:52 . 2009-04-21 08:52 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\documents and settings\Adrian\Application Data\Malwarebytes
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 03:48 . 2009-04-21 03:48 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 03:39 . 2009-03-01 07:18 -------- d-----w c:\documents and settings\Adrian\Application Data\WTablet
2009-04-18 13:58 . 2007-02-07 03:38 231547 ----a-w c:\windows\system32\nvModes.dat
2009-04-18 04:53 . 2008-05-01 07:15 -------- d-----w c:\program files\McAfee
2009-04-17 10:00 . 2007-02-08 05:06 -------- d-----w c:\program files\World of Warcraft
2009-04-15 21:28 . 2007-12-13 13:30 -------- d-----w c:\documents and settings\Adrian\Application Data\Azureus
2009-04-09 13:55 . 2007-12-04 11:25 -------- d-----w c:\program files\eMule
2009-04-06 05:32 . 2009-04-21 03:48 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 05:32 . 2009-04-21 03:48 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 09:43 . 2008-08-03 07:31 -------- d-----w c:\program files\Diablo II
2009-03-25 01:06 . 2008-05-01 07:16 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 01:06 . 2008-05-01 07:16 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 01:06 . 2008-05-01 07:16 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 01:06 . 2008-05-01 07:16 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 01:05 . 2008-05-01 07:16 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-21 14:50 . 2008-09-06 03:22 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-15 06:00 . 2009-03-15 04:17 -------- d-----w c:\program files\DivX
2009-03-15 05:59 . 2009-03-15 04:17 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-15 04:18 . 2009-03-15 04:18 -------- d-----w c:\documents and settings\Adrian\Application Data\DivX
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:44 . 2007-05-12 02:48 83728 -c--a-w c:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 12:29 . 2008-04-29 12:52 -------- d-----w c:\program files\IDoser v4
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 08:29 . 2009-03-01 08:29 -------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-03-01 07:45 . 2009-03-01 07:45 -------- d-----w c:\program files\Corel
2009-03-01 07:45 . 2009-03-01 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-03-01 07:43 . 2009-03-01 07:43 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-01 07:37 . 2006-07-23 17:00 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-03-01 07:31 . 2007-12-25 07:34 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-01 07:17 . 2009-03-01 07:17 -------- d-----w c:\program files\Tablet
2009-02-28 14:03 . 2007-11-28 02:15 -------- d-----w c:\program files\Azureus
2009-02-26 12:23 . 2009-02-26 12:23 -------- d-----w c:\program files\Telltale Games
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-03-30 01:21 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-27 01:35 . 2009-03-01 07:38 129784 ------w c:\windows\system32\pxafs.dll
2009-01-27 01:35 . 2009-03-01 07:38 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35 . 2009-03-01 07:38 118520 ------w c:\windows\system32\pxinsi64.exe
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-12-20 21:22 . 2008-12-20 21:22 178384 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-10-10 12:14 . 2008-05-17 08:35 1098222708 -c--a-w c:\program files\source materials.gcf
2007-10-10 12:14 . 2008-05-17 08:38 1023142824 -c--a-w c:\program files\source sounds.gcf
2007-10-10 12:14 . 2008-05-17 08:37 471408852 -c--a-w c:\program files\source models.gcf
2007-10-10 12:14 . 2008-05-17 08:41 168173116 -c--a-w c:\program files\portal english.gcf
2007-10-10 12:14 . 2008-05-17 08:39 1033441492 -c--a-w c:\program files\portal content.gcf
2007-10-10 12:14 . 2008-05-17 08:33 306105372 -c--a-w c:\program files\source 2007 binaries.gcf
2007-10-10 12:14 . 2008-05-17 08:34 1032871080 -c--a-w c:\program files\source 2007 shared materials.gcf
2007-10-10 12:14 . 2008-05-17 08:35 2373924 -c--a-w c:\program files\source 2007 shared sounds.gcf
2007-10-10 12:14 . 2008-05-17 08:35 155492024 -c--a-w c:\program files\source 2007 shared models.gcf
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-21_12.30.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 10:00 . 2009-04-21 12:12 72496 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2009-04-22 03:24 72496 c:\windows\system32\perfc009.dat
- 2007-02-07 03:07 . 2009-04-21 12:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-07 03:07 . 2009-04-22 03:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-07 03:07 . 2009-04-21 12:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-07 03:07 . 2009-04-22 03:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-07 03:07 . 2009-04-21 12:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-02-07 03:07 . 2009-04-22 03:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 10:00 . 2009-04-22 03:24 444656 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2009-04-21 12:12 444656 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Diagnostic Manager"=c:\docume~1\Adrian\LOCALS~1\Temp\571544160.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe"
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" /runkey
"NVHotkey"=rundll32.exe nvHotkey.dll,Start
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SigmatelSysTrayApp"=stsystra.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe"
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Ulead AutoDetector"=c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 cdiskdun;cdiskdun; [x]
R3 PAC7311;VGA USB Camera;c:\windows\system32\DRIVERS\PA707UCM.SYS [2006-04-13 155648]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-09-07 1373480]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c6b9f02-063b-11de-9696-00188bad5254}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64dc60ec-18ce-11de-96c9-00188bad5254}]
\Shell\AutoRun\command - explorer .
\Shell\mobile\command - E:\MobileLaunch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6737213-c700-11db-91fc-00188bad5254}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-01 23:53]

2009-02-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-01 23:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\qw6rv3go.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,be,a8,7f,c2,28,2a,8f,45,a0,25,d6,72,e6,df,82,2e,d5,cd,7a,3e,ff,2f,
50,43,f3,a2,de,fc,84,e7,09,2e,3a,09,3f,ce,95,50,59,a8,59,19,6f,d5,65,d3,bc,\
"??"=hex:63,e0,5f,ee,4f,76,d2,38,c5,56,ab,83,a5,b1,e8,20

[HKEY_USERS\S-1-5-21-1957994488-630328440-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:25,b6,c0,6b,b9,1d,d3,a2,78,03,89,b6,30,ad,2e,af,17,0e,9d,bf,e0,
85,1d,18,cd,63,b5,38,9a,a5,97,b5,6f,a4,9b,05,8e,f4,6f,4e,77,48,4a,24,dc,85,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
Completion time: 2009-04-22 13:32
ComboFix-quarantined-files.txt 2009-04-22 03:32
ComboFix2.txt 2009-04-21 12:31

Pre-Run: 25,501,360,128 bytes free
Post-Run: 25,484,992,512 bytes free

240 --- E O F --- 2009-04-17 08:34

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:53 PM

Posted 22 April 2009 - 09:44 AM

Hi amelchio,

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

m0le is a proud member of UNITE

#14 amelchio

amelchio
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:53 AM

Posted 23 April 2009 - 07:46 AM

Hey again, the scan claims that 1 infected item still exists, but I'll let the log do the rest of the talking for me.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 11:23:49
Records in database: 2071806
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 86749
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:59:00


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthoadeiqojwlrsnyaxagqfkurowpibeekk.dll.vir Infected: Trojan.Win32.Tdss.aalc 1

The selected area was scanned.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:53 PM

Posted 23 April 2009 - 01:28 PM

Hi amelchio,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\MRT.INI
c:\docume~1\Adrian\LOCALS~1\Temp\571544160.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Diagnostic Manager"=-


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
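The CFScript above removes one autostart value, "Diagnostic Manager", whose image is a nine-digit .exe in the user's Local Settings\Temp folder. The following is an added example that is not part of the original thread and not ComboFix's, DDS's or m0le's code: a small triage script that parses the Run/Run- key section of a ComboFix-style log and flags autostart entries by the heuristics a responder applies by eye (image under a Temp directory, image under a user profile rather than Program Files or System32, all-digit file name, bare file name resolved through the PATH search order). The sample log is constructed from the Run- values shown in the log above; the hive header for the first block is an assumption, taken from the CFScript, since the excerpt above begins below that header line.

```python
"""Triage helper for the Run/Run- key section of a ComboFix or DDS log.

Added example for this thread; it is not ComboFix's, DDS's or m0le's code.
It flags autostart entries by a few heuristics that also single out the
"Diagnostic Manager" entry removed by the CFScript above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the Run- entries in the ComboFix log above.
# Assumption: the first block sits under HKEY_CURRENT_USER\...\run-, as the
# CFScript implies; the excerpt above starts below that key's header line.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Diagnostic Manager"=c:\docume~1\Adrian\LOCALS~1\Temp\571544160.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NVHotkey"=rundll32.exe nvHotkey.dll,Start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
PROFILE_ROOTS = ('c:\\docume~1\\', 'c:\\documents and settings\\', 'c:\\users\\')


def parse_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, raw data) for values under any ...\\Run or ...\\Run- key.

    ComboFix renames a disabled autostart key to Run-, so both spellings count."""
    key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().rstrip('-').endswith('\\run'):
            entries.append((key, m.group('name'), m.group('data')))
    return entries


def image_path(data: str) -> str:
    """Extract the executable from a Run-key command line (quoted or bare, with or without arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # An unquoted path may itself contain spaces, so cut at the first ".exe" token.
    m = re.match(r'(?i)(.*?\.exe)(\s|$)', data)
    return m.group(1) if m else data.split(' ', 1)[0]


def assess(path: str) -> List[str]:
    """Heuristics a malware responder applies to an autostart image path."""
    low = path.lower()
    reasons = []
    if re.search(r'\\(temp|tmp)\\', low):
        reasons.append('runs from a Temp directory')
    if low.startswith(PROFILE_ROOTS):
        reasons.append('lives under a user profile, not Program Files or System32')
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if stem.isdigit():
        reasons.append('file name is only digits (typical of dropped, randomly named binaries)')
    if '\\' not in low:
        reasons.append('bare file name, resolved through the PATH search order (check the DLL/argument too)')
    return reasons


def triage(text: str) -> Dict[str, Tuple[str, str, List[str]]]:
    """Map value name -> (key, image path, reasons) for every entry that trips a heuristic."""
    findings = {}
    for key, name, data in parse_run_entries(text):
        path = image_path(data)
        reasons = assess(path)
        if reasons:
            findings[name] = (key, path, reasons)
    return findings


if __name__ == '__main__':
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1][2]))
    for name, (key, path, reasons) in ranked:
        print(f'{name!r} in {key}\n    {path}')
        for r in reasons:
            print(f'    - {r}')
```

Run against the sample, "Diagnostic Manager" trips three of the four heuristics and sorts to the top, while the two rundll32/bare-name entries (NVIDIA and SigmaTel tray applets) surface only on the weakest rule and would be cleared by checking the DLL or binary they load; the Security Center value is ignored because it is not under a Run key. The heuristics are deliberately simple and produce false positives; they are a reading aid for a log, not a verdict.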



